Privacy Statement of a.s.r. real estate

Personal data protection policy of ASR Vastgoed Vermogensbeheer B.V.

1 Who we areASR Vastgoed Vermogensbeheer B.V. (hereinafter referred to by its trading name a.s.r. real estate) is a division of ASR Nederland N.V. and is responsible for the processing of personal data.

2 What personal data do we process?If you apply for a lease, partnership agreement, investment or a financial or other service from a.s.r. real estate or if you provide us with a service, we will ask for your personal data. You provide us with this data through your adviser/intermediary (hereinafter referred to as adviser) or directly via our website, by email or by telephone.

a. Name and address detailsThe personal data we process depends on the type of contact we have with you:

If you visit our websites, we will use your IP address to collect data on which websites you have visited, as well as data on your visit to our website, cookies and cookie settings.

If you request information from us, we will ask you to provide us with your contact details so that we can send you the information.

If you become a client, we will require at least your contact details (name, address, telephone number and email address). We use this data to ensure performance of the agreement we have with you.

If you apply for a job with us, we will ask for your CV, diplomas (where applicable) or the outcomes of personal assessments and other personal data, where applicable. With your consent, we will store this data for a period not exceeding 12 months following your job application.

b. Financial dataIf you are a client of ours, we will use your bank account number to make and collect payments.

We also have access to your salary details if we require these to determine whether you qualify for a rental property or to determine a rent increase of the property you rent.

c. BSNIn some cases, we also hold your citizen service number (Dutch acronym: BSN). This will be the case, for instance, for land tenancy agreements as we are obliged to pass your citizen service number to the agricultural tenancies authority. We will process your BSN only when we have legal grounds to do so.

d. Data about your contact with usWe process data about the contacts you have had with us: • The contact was about (product, advice, offer, service discussion, message, complaint, information); • When the contact took place and with which department; • How the contact took place (by post, via the website, by email, via the newsletter or an adviser).

We use this data to see what contact we have previously had with you. If it concerned a question, a complaint or advisory opinion, we will be able to see this in your client file and will be able to help you better when you next contact us.

3 Where do we obtain your data from?In most cases, we obtain the data directly from you. Besides the information that we obtain from you, we may also receive and process data from third parties, such as the Dutch Tax & Customs Administration, the Chamber of Commerce or other third parties, such as market research agencies. We record the sources of data we have received in our processing register if these sources are known. Where possible, we will inform you of the sources from which we receive information.

4 Why do we process your data?We process personal data for the following reasons:

a. Service provisionWe use your contact details to get in touch with you, to assess whether you can become a client or business partner of ours or to amend our agreement. We may use your data to manage your agreement and to handle questions, complaints and financial affairs.

b. Risk mitigationWe also use your data to mitigate risks, for instance by:• Tracking your IP address when you visit our website. We use your IP address to help us improve our services. In exceptional cases, we also investigate who is behind an IP address, for instance, to combat fraud. • Ensuring a good level of security. This includes user names, passwords and security questions.• Performing an internal quality review of potential problems and risks, and assessing whether statutory compliance has been achieved.• Ensuring that we maintain the health and integrity of our business (risk management).

c. Marketing activitiesWe like to keep you up-to-date, for instance by sending emails, newsletters, special offers on our website or via social media, or by targeted advertising in apps and on third-party sites and social media. We also use your personal data for these.We do so by: • Assessing which a.s.r. products and services you use and which you do not, for instance by using cookies. For more information, see our cookie policy. • Logging your choices and search terms, for instance if you visit our web pages or apps, or open our emails, such as the newsletter. And we analyze these. • Combining the data that we have gathered with personal data (e.g. an insurance application) as well as general data from other sources (e.g. the Chamber of Commerce).

If you prefer not to receive personalized offers, you can opt out via the contact details section at “Who we are”.

d. Improvement and innovationWe also use your personal data to personalize our products and services. We do so by combining and analyzing the data. These analyses inspire new ideas and improved solutions. These analyses enable us to:• Resolve the root cause of problems, improve pages and forms on the website and speed up processes. • Measure how clients use our services and assess the result of a campaign. And to improve things, where necessary. • Develop new services. • Create reports of our analyses and insights, and use these to provide information services at an aggregated level. When creating reports and analyses, we remove any personal data that we do not need, where possible. We can also combine data at a certain level of abstraction (aggregation), encode it (pseudonymization) or anonymize it.

e. Identifying fraud and abuseWe also store data for the purposes of identifying fraud, abuse and improper use. In doing so, we follow the Insurance and Criminality Protocol and the Financial Institutions Incident Warning System Protocol. Both protocols have been drafted by the Dutch Association of Insurers.

5 What is the legal basis for using your personal data?We process your personal data based on one of the following legal bases: a. You have given consent*. b. The processing is required for the performance of the agreement, e.g. a lease.c. The processing is required to comply with a statutory obligation**, for instance asking for a copy of an identity document in order to verify your identity.d. The processing is required in order for us to defend a legitimate interest, for instance when we investigate suspected fraud. When we do so, we have to strike a balance between the legitimate interest of ourselves or a third party and your interests. We will weigh up these interests in writing and inform you of this as soon as possible.

*ConsentWe only ask for your consent where required for the processing of your personal data. If we process personal data after you have given us your consent, you may withdraw your consent at any time. You can do so by contacting us by telephone or by email. Our contact details can be found above at 1 (“Who we are”). They are also listed at the bottom of every newsletter we send you.

**Statutory obligationFinancial services providers are subject to many statutory obligations. We are a financial services provider, which is why we are required to verify your identity if you become a client of ours (identification obligation), and in certain cases we are under an obligation to provide data to government bodies. We will ask for this data as a consequence of these obligations. Failing to provide this data may have certain implications for you. If we are unable to verify your identity, we will not be able to enter into an agreement with you. If we have not received information on your criminal record, or if the information was incorrect, we will not be able to conclude an agreement with you. If an agreement has already been concluded based on incorrect information, we are entitled to terminate it.

6 How do we secure your data?We handle your data with due care and take the necessary technical and organizational measures to ensure an appropriate level of protection.

Technical and organizational measuresWe have taken technical and organizational measures to protect your data from loss or unlawful processing. These include measures to ensure the secure use of our website and IT systems, and to prevent abuse. They also include the security of physical spaces where data is stored. We have in place an information security policy and train our employees in the field of personal data protection. Only authorized personnel can see and process your data. All our employees have sworn an oath or affirmation. Employees swear or affirm that they will abide by legislation, regulations, codes of conduct, and that they will act with integrity.

7 How long do we store your data?We do not retain your data any longer than necessary. In some cases, the law determines how long we may or must keep data. In other cases, we have made our own determination of how long we need to retain your data. In this context, we have established a comprehensive retention periods policy. For example, we keep client files for seven years following the end of the relationship with a.s.r. real estate. However, we hold onto real estate files for at least ten years following the end of the relationship with a.s.r. real estate. If you have any specific questions about this, please contact the Data Protection Officer.

8 Who do we share your data with?We only provide personal data to third parties if this is permitted by law and is required for the business operations of a.s.r.

1. At ASR Nederland N.V.If you are a customer of one of the labels (De Amersfoortse, Ardanta, Ditzo, De Europeesche Verzekeringen), which are divisions of ASR Nederland N.V. in addition to a.s.r. real estate, we may share your personal data with one of the other labels of ASR Nederland, for instance as part of a responsible underwriting policy and to prevent fraud.

We can also share data between the various departments of ASR Nederland to process your application or to gain an understanding of the products and services you have with us. This allows us to provide you with a better service. It is possible that you will receive offers for other products of the labels that come under ASR Nederland N.V. If you do not wish to receive offers for other products, you can let us know. If you have an adviser, you will only receive messages from us in coordination with your adviser.

2. GovernmentSometimes we are under a statutory obligation to pass on certain personal data to the government. This includes the Dutch Tax & Customs Administration, the Employee Insurance Administration Agency, the police, the judicial authorities or regulators, such as the Dutch Central Bank (DNB), the Netherlands Authority for the Financial Markets (AFM) and the Dutch Data Protection Authority.

3. Service providers and business partnersIf permitted by law, we can share data with your adviser where this is required to provide the service. We sometimes need your consent for this.

We also engage other businesses to provide services on our behalf relating to the contract that you have concluded with us. For real estate transactions, for instance, these will include a real estate manager, a surveyor, a civil-law notary or a maintenance or repair company. We will make arrangements with these parties to ensure that your personal data remains protected.

We may also outsource the processing of personal data to third-party data processors. For instance, we engage IT service providers to arrange for maintenance and support functions. These IT service providers are deemed to be processors because they do not have independent control of the personal data that is provided by a.s.r. real estate to the IT service provider for the service to be provided. In these situations, a.s.r. real estate remains responsible for the due processing of your data.

4. CIS databaseTo ensure a responsible underwriting and risk policy, and to prevent fraud, we record your data in the Central Information System (CIS) of Stichting CIS. Stichting CIS is a foundation that can support insurers with their underwriting and claims processes. Subject to strict conditions, we can share data with insurers affiliated with CIS via Stichting CIS. For more information, see the website of Stichting CIS.

5. Third parties outside the European Economic Area (EEA)If we share data with a service provider in a country outside the EEA, we will make arrangements with them so that we always comply with the rules that have been agreed within the European Economic Area. We will then use the standard clauses, i.e. model contracts approved by the European Union to ensure that a sufficient level of protection of personal data is achieved.

9 What are your rights?1. Access to and rectification of dataYou have the right to ask us what personal data of yours we process and to ensure that incorrect data is rectified or removed.

We will ask security questions or ask for a copy of your ID* in order to verify your identity.You will receive our reply within four weeks.

*IDWhen providing a copy of an identity document, your passport photo and citizen service number (BSN) must be obscured. We also recommend to mark on the copy that it is intended only for the purpose of exercising your personal data protection rights.

2. Right to erasure (‘right to be forgotten’)In a number of cases and subject to conditions, you have the right to have your personal data that we hold erased. This is the case when: • The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;• You have withdrawn your consent for processing;• You make a reasoned objection to the processing; • Your personal data has been unlawfully processed by us;• The personal data has to be erased for compliance with a legal obligation; • It concerns personal data about your child that was collected in connection with a direct offer of online services to your child.

The right to be forgotten is not an absolute right. We can decide to reject your request and not to erase your data if your request is not based on one of the aforementioned reasons, or (i) in order to exercise the right to freedom of expression and information; (ii) in order to comply with a statutory obligation; or (iii) to establish, exercise or defend a legal claim.

If we reject your request to erase your personal data, we will inform you of the reasons why we are unable to honour your request.

3. Restriction of processingIf you believe that we are processing your information unlawfully or that the data processed by us is incorrect, you can request that the processing be restricted. This means that we may no longer process the data.

4. Data transfers (data portability)You have the right to obtain a copy of the personal data that you have provided to us for the performance of the agreement that you have concluded with us or based on your consent. This only concerns personal data that we have received from you and not data that we have received from third parties. The aim of this right is to enable you to easily transfer this data to another party.

5. Right to objectYou always have the right to object to the processing of your personal data that takes place based on our legitimate interest or the legitimate interest of a third party. In that case, we will no longer process your data unless there are compelling legitimate grounds for processing that take precedence, or that relate to the establishment, exercise or defence of legal claims.

6. Opting out of personalized offersYou have the right to opt out of newsletters or personalized offers in relation to our insurance, banking products and other financial services. In commercial offers, we will always offer you the option to opt out. We may phone you for commercial purposes. We follow the rules of the Dutch Do Not Call Registry. Visit the website www.bel-me-niet.nl to opt out of commercial cold calling.

10 Email and social media (chat, WhatsApp, Facebook)1. EmailBefore we communicate with you by email, we will ask for your consent, unless you have previously given your consent. You may withdraw your previously given consent at any time.

2. Social mediaYou can choose to contact us by online chat or via our social media pages on Facebook, LinkedIn or via Twitter or WhatsApp. If you contact us through one of these channels, we will store the data you send us through these channels in a secure environment. In order to respond to personal questions in your social media message, we will ask you to share your contact details with us in a personal message (direct message or email). This allows us to verify that we are talking to the right person.

The information we receive from you via these platforms is governed by this personal data protection policy. Use of social media is your own responsibility. This personal data protection policy is not applicable to how social media platforms handle the personal data that you provide. We advise you that many social media platforms are established outside the European Union and store their data outside the European Union. In most cases, the personal data protection legislation of the European Union will not then apply. We encourage you to consult the privacy statements of these social media channels for further information on how they process your personal data.

11 Amendments to personal data protection policyPersonal data protection legislation does not stand still. We may therefore make amendments to this personal data protection policy in order to keep pace with new developments, for instance if our business activities change or if there are changes in statute or case law. For this reason, we advise you to regularly check this privacy statement when you visit one of our websites. We will also actively inform you of any changes to this personal data protection policy by means of a pop-up banner, email or news message on our websites.

12 ProfilingWe compile profiles of our clients based on the data that we collect for the purposes of analyzing this data and thus obtaining insight into (future) actions and preferences. We will then be able to respond appropriately, for instance by sending targeted advertising/information to customers based on their browsing behaviour that has been tracked using tracking cookies. When we do this, we comply with the relevant rules and regulations. This means, for instance, that we ask consent in advance if legally required. This is the case, for instance, for profiling involving special categories of personal data.

13 Questions or complaints?If you have any questions about this personal data protection policy, or if you want to file a complaint about how we deal with your personal data, please contact the Data Protection Officer of ASR Nederland N.V. Send an email to: asr.klachten.asrvv@asr.nl or address a letter to:ASR Vastgoed Vermogensbeheer B.V.Attn.: Complaints ServicePostbus 2008 3500 GA UtrechtThe Netherlands

You can contact us by telephone on +31 (0)30 257 23 80.You can also submit a complaint to the Dutch Data Protection Authority (https://autoriteitpersoonsgegevens.nl/ or call them on 0900-2001201 – in the Netherlands only).